Advisory: SQL Injection in PHPGurukul Hospital Management System (HMS)

Vendor

• Name: PHPGurukul
• Product: Hospital Management System (HMS)
• Version: 4.0 (Latest)

Vulnerability Details

• Type: SQL Injection (Time‑Based Blind)
• Status: Unpatched
• Affected File: /hms/admin/manage-doctors.php
• Parameter: id (triggered via the del action)

Description

The id parameter in the manage-doctors.php file is directly concatenated into a SQL DELETE query without sanitization or use of prepared statements. This flaw allows an authenticated attacker to inject arbitrary SQL commands. Because the vulnerability is time‑based blind, exploitation relies on observing delays in server responses to infer query results.

Impact

Successful exploitation could allow:

• Unauthorized Data Deletion: Attackers can delete records from critical tables.
• Sensitive Information Disclosure: Extracting confidential patient or staff data.
• Privilege Escalation: Manipulating user accounts or roles.
• Complete System Compromise: Gaining control over the database and potentially the application server.

Severity

• CVSS (Estimated): High (likely 8.0–9.0 range depending on environment)
• Attack Vector: Remote, authenticated
• Attack Complexity: Low

Recommendations

Until a patch is released, administrators should:

• Apply Input Validation: Sanitize and validate all user inputs.
• Use Prepared Statements: Replace dynamic SQL queries with parameterized queries.
• Restrict Database Privileges: Ensure the application account has minimal permissions.
• Monitor Logs: Watch for suspicious activity, especially repeated delays in queries.
• Web Application Firewall (WAF): Deploy rules to detect and block SQL injection attempts.